PRIVACY POLICY

Version 1

Effective from May 2018

Introduction & Description – This policy defines the legal basis for processing and sharing privileged personal and sensitive information held and processed by Community Case Management Services Ltd (CCMS Ltd) relating to information stored, processed and shared by CCMS Ltd regarding all employees, all case managers, suppliers, customers and the personal medical records of our customers’ clients.

1. Definitions

For the purpose of this policy the following definitions apply:

  • CCMS Ltd means Community Case Management Services Ltd. Any reference to CCMS Ltd within this policy refers to the legally established company of Community Case Management Services Ltd, which is listed with Companies House under reference 06774087.
  • Company head office means CCMS Ltd, Unit 23 & Unit 18b Blackwell Business Park, Blackwell CV36 4PE.
  • Case managers means nursing, healthcare or other qualified professionals appointed to manage the case that are legally separate trading entities (either self-employed sole traders or limited companies) that are appointed by CCMS Ltd to provide case management services.
  • Staff means direct employees of CCMS Ltd.
  • Support Worker means an individual that is recruited by CCMS Ltd on behalf of a client/customer and not employed by CCMS Ltd.
  • GDPR means General Data Protection Regulation (GDPR) (EU) 2016/679 which is a regulation in EU law on data protection and privacy for all individuals within the European Union.
  • DPA means Data Protection Act 1998.
  • EU means European Union and current and future member countries including the UK pre/post departure from the union.
  • Data subject means an individual who is the subject of personal data. In other words, the data subject is the individual whom particular personal data is about.
  • Data controller is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data is, or is to be, processed.
  • Data processor in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
  • Processing in relation to information or data means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data.
  • Client means the individual named as the data subject by the data controller and the individual that the required medical report relates to.
  • Customer means the entity that has commissioned the report and/or case management concerning the data subject (client) and which has full legal authority to do so.
  • PIA means privacy impact assessment.
  • Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.
  • Individual rights mean the 8 rights for individuals as set out in the GDPR.
  • Personal Data means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier, as defined by the GDPR.
  • Sensitive Personal Data means the data as defined by Article 9 of the GDPR.

2. Acknowledgments

CCMS Ltd recognises all rights and responsibilities provided for in the DPA and GDPR legislation.

3. Privacy Statement

CCMS Ltd respects privacy and will only use information shared with us for the specified and lawful purposes as provided for under the GDPR. CCMS Ltd will use and process your information responsibly and will take all appropriate organisational and technical measures to safeguard your information from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

CCMS will share personal and sensitive information that is collected by CCMS with the data controller, client, instructing solicitor, appointed deputy and with family members.

CCMS Ltd will not share information for any purpose other than the specific purpose it was shared with CCMS Ltd. Information regarding what information is shared is detailed in sections 6 to 11 of this policy.

At no time now or in the future will CCMS Ltd share personal information with any 3rd party for the purpose of marketing, advertising or statistical analysis.

4. Data Processing

During the course of providing services to clients, suppliers and staff the following personal information may be processed by CCMS Ltd:

  • Staff personal information
  • Support worker personal information
  • Supplier personal information
  • Case managers personal information
  • Customer personal information
  • Client personal information and medical records
  • Website cookie policy

The information processed may be in many different forms and this policy covers data of all types. This includes but is not limited to:

  • Emails
  • Letters
  • Doctors notes
  • Text messages
  • IM messages
  • Application forms
  • Certificates
  • Photographs
  • Medical scans

5. Privacy Impact Assessments

CCMS Ltd has deemed it necessary to conduct a Privacy Impact Assessment in regard to the processing of client information.

6. Staff Personal Information

6.1 Lawful basis for processing - where personal information is collected about staff and employees, CCMS Ltd is defined as the data controller and our lawful basis for processing personal and sensitive information is the legal obligation we have to process your personal information in respect to UK employment law, tax, pensions and payments to you.

6.2 Data collected – The following list is an example of the data that is collected and processed regarding all staff and employees of CCMS Ltd:

  • Name, address, email address and contact telephone numbers.
  • Application form and CV.
  • Emergency contact details – name and telephone.
  • Date of birth.
  • National Insurance number.
  • Pension information.
  • Bank account information.
  • UK right to work documentation.
  • Disclosure and Barring Service checks (DBS).
  • Work experience and references.
  • Supervisory information.
  • Training certificates.

6.3 Data Sharing – within the confines of the lawful basis for processing CCMS Ltd is required to share the following information:

  • Salary and employment information with Her Majesty’s Revenue and Customs (HMRC)
  • Personal information and your right to work documentation will be shared with the employer, deputy, client and the employment law support providers known as Peninsula, Citation and Premier Care.
  • Limited details with the company pension provider Nest Pensions, or your elected pension scheme.
  • Your personal details will be stored in the accounting system at the company head office.
  • Your emergency contact details will be shared with senior managers and directors only when needed for making emergency contact.
  • CCMS Ltd will not share your personal information collected for the purpose of employment.

6.4 Retention – Information collected and processed during the recruitment and employment process for all CCMS Ltd staff is as follows:

For employees of CCMS Ltd personal information will be retained for the duration of employment and for a period of six years thereafter.

For all unsuccessful applicants, personal information will be retained for the duration of the recruitment process and for a period not exceeding 6 months after the recruitment process has been concluded.

7. Support Workers Personal Information

7.1 Lawful basis for processing - where personal information is collected about support workers recruited by CCMS Ltd for and on behalf of clients & customers, CCMS Ltd is defined as the data processor and our lawful basis for processing personal and sensitive information is the legal obligation we have to process your personal information in respect to UK employment law, tax, pensions and payments to you.

7.2 Data collected – The following list is an example of the data that is collected and processed regarding all support workers:

  • Name, address, email address and contact telephone numbers.
  • Application form and CV.
  • Emergency contact details – name and telephone.
  • Date of birth.
  • National Insurance number.
  • Pension information.
  • Bank account information.
  • UK right to work documentation.
  • Disclosure and Barring Service checks (DBS).
  • Work experience and references.
  • Supervisory information.
  • Training certificates.

7.3 Data sharing – within the confines of the lawful basis for processing CCMS Ltd is required to share the following information:

  • Salary and employment information with Her Majesty’s Revenue and Customs (HMRC).
  • Personal information and your right to work documentation will be shared with the employer, deputy, client and the employment law support providers known as Peninsula, Citation and Premier.
  • Limited details with the company pension provider Nest Pensions, or your elected pension scheme.
  • Your personal details will be stored in the accounting system at the company head office.
  • Your emergency contact details will be shared with senior managers and directors only when needed for making emergency contact.
  • CCMS Ltd will share your personal information collected for the purpose of employment with the relevant employer, client or deputy.

7.4 Retention – Information collected and processed during the recruitment and employment process for all support workers:

  • For all unsuccessful applicants, personal information will be retained for the duration of the recruitment process and for a period not exceeding 6 months after the recruitment process has been concluded.
  • For support workers recruited on behalf of CCMS Ltd clients/customers, all personal information relating to the recruitment process and subsequent employment will be retained in keeping with the client retention policy.

8. Supplier Personal Information

8.1 Lawful basis for processing - where personal information is collected about suppliers, CCMS Ltd is defined as the data controller and our lawful basis for processing personal information is the performance of a contract between CCMS Ltd and the supplier. CCMS Ltd processes personal information in respect to UK law relating to the provision of goods and services, tax and for the processing of invoices and payments.

8.2 Data collected – The following list is an example of the data that is collected and processed regarding all suppliers of CCMS Ltd:

  • Company name, address, email address and contact telephone numbers.
  • Company contacts including job role.
  • VAT number and company registration number.
  • Bank account information.

8.3 Data sharing – within the confines of the lawful basis for processing CCMS Ltd may share the following information:

  • Accounting information may be shared with Her Majesty’s Revenue and Customs (HMRC) in accordance with normal accounting practice.
  • Limited information may be shared with a representative of CCMS Ltd accounting and auditing service only when absolutely necessary.

8.4 Retention - Supplier information will be retained for the duration of time the supplier is providing goods & services to CCMS Ltd and then for 10 years thereafter.

9. Case Managers’ Personal Information

9.1 Lawful basis for processing - where personal information is collected about case managers, CCMS Ltd is defined as the data controller and our lawful basis for processing personal and sensitive information is the performance of a contract between CCMS Ltd and our customers. Case managers’ personal information is processed in respect of providing services to CCMS Ltd’s customers, to ensure the provision of services and for the processing of invoices and payments.

9.2 Data collected – The following list is an example of the data that is collected and processed regarding all case managers working with CCMS Ltd:

  • Name, address, email address and contact telephone numbers.
  • Company contacts including job role.
  • VAT number and company registration number.
  • Bank account information.
  • Medical qualification, registrations and membership to professional bodies.
  • Insurance information.
  • Work experience.

9.3 Data Sharing – within the confines of the lawful basis for processing, CCMS Ltd may share the following information:

  • Name, address and contact information may be shared with customers.
  • Accounting information may be shared with Her Majesty’s Revenue and Customs (HMRC) in accordance with normal accounting practice.
  • Limited information may be shared with a representative of CCMS Ltd accounting and auditing service only when absolutely necessary.

9.4 Retention - Case managers’ information will be retained for the duration of time the case manager is registered with CCMS Ltd and available to provide services and then for 10 years thereafter.

10. Customer Personal Information

10.1 Lawful basis for processing - where personal information is collected about customers, CCMS Ltd is defined as the data controller and our lawful basis for processing personal information is the performance of a contract between CCMS Ltd and the customer. Customer personal information is processed in respect of providing services to the customer, to ensure the provision of services and for the processing of invoices and payments.

10.2 Data collected – The following list is an example of the data that is collected and processed regarding all customers of CCMS Ltd:

  • Name, address, email address and contact telephone numbers.
  • Company contacts including job role.
  • VAT number and company registration number.
  • Bank account information.

10.3 Data Sharing – within the confines of the lawful basis for processing, CCMS Ltd may share the following information:

  • Name, address and contact information may be shared with case managers.
  • Accounting information may be shared with Her Majesty’s Revenue and Customs (HMRC) in accordance with normal accounting practice.
  • Limited information may be shared with a representative of CCMS Ltd accounting and auditing service only when absolutely necessary.

10.4 Retention - Customer information will be retained for the duration of time that CCMS Ltd is case management company to the customer and then for 10 years thereafter, subject to the following alternative retention time periods:

  • If the customer’s client is under 18 years old the 10 years will begin the day after the child has turned 18 (as long as CCMS Ltd is no longer providing case management services to the customer regarding the client in question).
  • If the customer’s client does not have mental capacity, records will be retained for 50 years (after CCMS Ltd is no longer providing services to the customer regarding the client in question).

11. Client Personal Information

11.1 Lawful basis for processing - where personal information is collected about customer’s clients, CCMS Ltd is defined as the data processor and our lawful basis for processing personal and sensitive information is the performance of a contract between CCMS Ltd and the customer. Client personal information is processed in respect of providing services to the customer, to ensure the provision of services and for the processing of invoices and payments.

11.2 Data collected – The following list is an example of the data that is collected and processed regarding all clients of CCMS Ltd:

  • Name, address, email address and contact telephone numbers.
  • Age, gender, race and religious background.
  • Medical records, doctor’s notes and treatment records.
  • Criminal history.
  • Personal contact information of family members and support workers.
  • Legal representatives.
  • Litigation casework.
  • Any additional information relevant to the management of risk and the provision of services to the customer.

11.3 Data sharing – within the confines of the lawful basis for processing, CCMS Ltd may share the following information:

  • All client data may be shared with CCMS Ltd’s nominated case manager for the provision of services to the client.
  • Only personal and sensitive information deemed as absolutely necessary will be shared with the appointed case manager.

11.4 Retention – information will be retained for the duration of time that CCMS Ltd is case management company to the customer and then for 10 years thereafter, subject to the following alternative retention time periods:

  • If the customer’s client is under 18 years old the 10 years will begin the day after the child has turned 18 (as long as CCMS Ltd is no longer providing case management services to the customer regarding the client in question).
  • If the customer’s client does not have mental capacity, records will be retained for 50 years (after CCMS Ltd is no longer providing services to the customer regarding the client in question).

12. Transfer of Personal Information Outside the EU

In accordance with the provisions of the DPA and the GDPR CCMS Ltd will not transfer any information (personal or sensitive) outside the EU for processing either directly or by a 3rd party.

Where data is processed by a 3rd party system or service, CCMS Ltd affirms that these services are fully DPA and GDPR compliant and all information is stored within EU data centres.

Where the client resides in a country outside of the EU, CCMS Ltd will take any steps necessary and as required by the laws applicable in the client’s country of residence to process personal information.

13. Information Retention

Personal and sensitive information will only be retained for as long as necessary to fulfil the lawful basis for processing and in accordance with the CCMS Ltd retention policy and as detailed in sections 5 to 11 of this policy. CCMS Ltd is required to retain records to comply with insurance and indemnity policies and may refuse any request to destroy client and support worker personal information if it is made before the relevant retention policy has expired.

Where CCMS Ltd stops providing services to a customer or client and is retaining data in line with the retention policies detailed in section 5 to 9 it will respect the data subject privacy at all times. 3 months after services to the client/customer have finished the retained records will be moved into a secure archive with only extremely limited access available. All operational staff will not have access to archived records.

All financial information relating to any transaction will be retained for a minimum of six years to begin the year after the financial year that the transaction was completed. This is in accordance with guidelines set out by the HMRC.

It is important to note that in some circumstances it may not be possible to destroy a limited amount of personal and sensitive information when the relevant retention policy expires. These include backups of electronic documents and email communications that may be securely archived. Deletion of any such material will take place when the opportunity to do so arises.

14. Data Access

Access to all personal and sensitive information processed by CCMS Ltd will be granted on a “least privileged” basis only. This means that only people that have a specific need to perform a function vital to the lawful basis for processing will be granted access.

All access to personal or sensitive information processed by CCMS Ltd is reviewed and audited on a regular basis.

All electronic data is backed up in a secure manner for the purpose of disaster recovery and data loss prevention. Access to information in the backup systems is restricted to those persons charged with the support of the IT infrastructure.

15. Personal Data Breaches

Where CCMS Ltd is the data controller for information and a breach has occurred, an immediate investigation will be conducted and the breach will be reported to the Information Commissioner within 24 hours.

Where CCMS Ltd is the data processor for information and a breach has occurred, an immediate investigation will be conducted and the breach will be reported to the relevant data controller within 12 hours. A record of any personal data breach will be retained indefinitely.

16. Website Cookies

CCMS Ltd website uses cookies. A cookie is a small file of letters and numbers that is sent to and stored on your computer to allow the collection of standard internet log information and visitor behaviour information in an anonymous form.

The cookies used are 'analytical' cookies. They allow recognition and count the number of visitors to see how visitors move around the site when using it. This helps with improving the way the website works, for example by making sure users are finding what they need easily. Similar information about site usage is also gathered from the web server's log files.

CCMS Ltd does not use cookies or log files to personally identify information about individuals, nor is the information gained from the use of cookies shared with any 3rd party.

CCMS Ltd website advertises the use of cookies on the home page which also provides a link to this privacy policy.

17. Individual Rights

17.1 The right to be informed - CCMS Ltd recognises the right to be informed and will provide each data subject a copy of this privacy policy before commencement of the processing of personal information.

17.2 The right of access - CCMS Ltd recognises the right to access any personal and sensitive information processed by CCMS Ltd from the data subject, or in the case of a client any lawfully appointed representative. CCMS Ltd will provide any information requested under the right to access free of charge and within 28 working days of the request.

17.3 The right of rectification - CCMS Ltd recognises the right to rectify any personal and sensitive information processed by CCMS Ltd from the data subject, or in the case of a client, any lawfully appointed representative. CCMS Ltd will make any required rectification requested under the right to rectification free of charge and within 28 working days of the request.

17.4 The right to erasure - CCMS Ltd recognises the right to erasure and will consider all requests on a case by case basis. Requests may only be denied where significant legal or technical reasoning prevents the destruction of records. All requests will be responded to within 28 working days. Where records are not deleted, the right to restrict processing will automatically be considered as an alternative.

17.5 The right to restrict - CCMS Ltd recognises the right to restrict the processing of personal and sensitive information and will consider all requests on a case by case basis. Requests may only be denied where significant legal or technical reasoning prevents the destruction of records. All requests will be responded to within 28 working days.

17.6 The right to portability - CCMS Ltd recognises the right to portability and will cooperate with the relevant data controller as required.

17.7 The right to object - CCMS Ltd recognises the right to object, however, this right does not apply to CCMS Ltd’s lawful basis for processing personal and sensitive information.

17.8 Rights in relation to automated decision making and profiling - CCMS Ltd does not conduct any profiling and does not rely on any automated decision-making process.

18. Accountability and Governance

18.1 CCMS Ltd has implemented the following data protection policies:

  • CCMS Ltd Privacy Policy.
  • CCMS Ltd Information Communication & Technology Security Policy.
  • CCMS Ltd Backup and Disaster Recovery Policy.
  • CCMS Ltd Data Retention Policy.
  • CCMS Ltd Customer Data Processing & Sharing Agreement.
  • CCMS Ltd Information Sharing Agreement.
  • CCMS Ltd Breach and GDPR Rights Policy.

18.2 All policies relating to the processing of personal and sensitive information will be reviewed on an annual basis.

18.3 CCMS Ltd has appointed a specific individual to perform the functions of a data protection officer.

Any concerns regarding data protection, privacy or information governance can be reported in confidence to dataprotection@ccmservices.co.uk

19. Third Party Services Used by CCMS Ltd

Here are links to the privacy policies of the third party services used by CCMS Ltd.

20. Policy Review and Version Control

  • This policy is reviewed annually and updated accordingly.
  • Version Control – the table below details the history of updates to this policy.

 


 

Breach and GDPR Rights Policy

Version 1

Introduction & Description - This policy defines the process for reporting a breach of personal data, subject access requests and how Community Case Management Services Ltd will ensure the individual rights as established in the General Data Protection Regulations. 

1. Definitions 

For the purpose of this policy the following definitions apply: 

  • CCMS Ltd means Community Case Management Services Ltd. Any reference to CCMS Ltd within this policy refers to the legally established company of Community Case Management Services Ltd, which is listed with Companies House under reference 06774087.
  • Company head office means CCMS Ltd, Unit 23 & Unit 18b Blackwell Business Park, Blackwell CV36 4PE.
  • Case managers means nursing, healthcare or other qualified professionals appointed to manage the case that are legally separate trading entities (either self-employed sole traders or limited companies) that are appointed by CCMS Ltd to provide case management services.
  • Data subject means an individual who is the subject of personal data. In other words, the data subject is the individual whom particular personal data is about.
  • Data controller is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data is, or is to be, processed.
  • Data processor in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
  • Processing in relation to information or data means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data.
  • Information Commissioners Office – the ICO is the UK regulatory authority and the agency responsible for information privacy and legislation in the UK.
  • Individual rights mean the 8 rights for individuals as set out in the GDPR.

2. Definition of a Breach of Data Protection

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.

A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever the following occur:

  • Any personal data is lost, destroyed, corrupted or disclosed
  • If someone accesses the data or passes it on without proper authorisation
  • If the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.

Some more specific examples of data breaches may be described as follows, however this list is not exhaustive:

  • Access by an unauthorised third party
  • Deliberate or accidental action by a controller or processor
  • Sending personal data to an incorrect recipient
  • Computing devices containing personal data being lost or stolen
  • Alteration of personal data without permission
  • Loss of availability of personal data

Any incident that involves the actual or potential loss, disclosure or any other security incident relating to personal and sensitive information shared with CCMS Ltd must be investigated to determine whether a breach of personal data has occurred.

3. Investigation

Where an incident occurs that may have the potential to constitute a personal data breach this incident must be reported to a senior manager and will in all instances be fully investigated by the data protection officer.

All potential incidents reported to the data protection officer will be recorded permanently and may be referred to in future investigations.

The data protection officer will be given full access to the facts and all information relating to the incident. The data protection officer may collect the following information during the course of the investigation:

  • A formal interview with the associated individuals
  • Written statements
  • Copies of emails
  • Physical inspection of workspace and any IT hardware involved
  • Previous incident reports/investigations

Actions taken by the data protection officer to investigate the potential incident will not be limited to the points above. All necessary steps will be taken to provide a comprehensive overview of the incident.

Where evidence suggests that a breach of personal data has occurred, the records will reflect that a breach of data protection has occurred, and a formal report will be produced. As a minimum this report will include the following:

  • A brief synopsis of what has occurred
  • An account of the information concerned in the breach
  • Any initial remedial steps that have been taken to secure the breached data
  • Any further recommendations to senior management that may be required
  • Whether the breach needs to be reported to the Information Commissioner’s Office

Where evidence suggests a breach of personal data has not occurred the records will reflect that a security incident was reported, and no breach of personal data occurred and senior management will be informed.

4. Breach Notifications

Where the data protection officer determines a breach has occurred, the severity of the breach will need to be assessed and established. ICO guidance stipulates that the likelihood and severity of risk to people’s rights and freedoms must be established.

If it is likely that the breach will have a significant impact on the rights or freedoms of individuals, then it must be reported to the data controller or the ICO. This will be determined by the data protection officer.

If it is likely that the breach will not have a significant impact on the rights or freedoms of individuals, then it may not be reported to the data controller or the ICO. It will be the decision of the data protection officer to not report the incident.

All breaches of personal data will be reported to senior management who may take any action forward as an internal matter and this may not exclude disciplinary action where appropriate.

5. Reporting Breaches where CCMS Ltd is the Data Controller

Where it has been established that CCMS Ltd is the data controller and the risk to people’s rights and freedoms has been assessed as likely and high, the data protection officer will report the breach to the ICO directly.

Where possible the report will be made within 24 hours. If not technically feasible to report the breach within this timescale it will be made as soon as possible thereafter. Only significant technical reasons will be acceptable in delaying the report.

6. Reporting Breaches where CCMS Ltd is the Data Processor

Where it has been established that CCMS Ltd is the data processor and the risk to people’s rights and freedoms has been assessed as likely and high, the data protection officer will report the breach to the data controller directly.

Where possible the report will be made within 12 hours to enable the data controller to report the breach to the ICO within the 72 hour timescale. If it is not technically feasible to report the breach within this timescale, it will be made as soon as possible thereafter. Only significant technical reasons will be acceptable in delaying the report.

7. ICO Investigation and Responses

The data protection officer will liaise with the ICO should the ICO choose to investigate a reported breach. The data protection officer will compile all responses to the ICO and will liaise with senior management prior to sending any response to the ICO.

The data protection officer will ensure any recommendations made by the ICO are complied with, within the desired timescales.

At any time, the directors of CCMS Ltd may be called upon by the ICO to answer a case and provide evidence. 

8. The right to be informed

CCMS Ltd recognises the right to be informed and will provide each data subject with a copy of this privacy policy before commencement of the processing of personal information.

9. Subject Access Requests

CCMS Ltd recognises the right to access any personal and sensitive information processed from the data subject, or in the case of a client, any lawfully appointed representative, in the form of a subject access request. CCMS Ltd will provide any information requested under the right to access, free of charge.

All subject access requests must be made in writing and sent to the data protection officer directly. Additional steps may be required to ensure the requestor is legally entitled to the information being requested. All requests will be completed within 28 working days.

10. Rectification

CCMS Ltd recognises the right to rectify any personal and sensitive information processed about a data subject, or in the case of a client, any lawfully appointed representative. CCMS Ltd will make any required rectification requested under the right to rectification, free of charge.

All rectification requests must be made in writing and sent to the data protection officer directly. Additional steps may be required to ensure the requestor is legally entitled to make the request. All requests will be completed within 28 working days.

11. Erasure of Information

CCMS Ltd recognises the right to erasure and will consider all requests on a case by case basis. Requests may only be denied where significant legal or technical reasoning prevents the destruction of records. Where records are not deleted, the right to restrict processing will automatically be considered as an alternative.

All erasure requests must be made in writing and sent to the data protection officer directly. Additional steps may be required to ensure the requestor is legally entitled to make the request. All requests will be responded to within 28 working days.

Where the request is denied, a full explanation of the request will be provided and the right to restrict processing will be enacted.

12. Restriction of Processing

CCMS Ltd recognises the right to restrict the processing of personal and sensitive information and will consider all requests on a case by case basis. Requests may only be denied where significant legal or technical reasoning prevents the destruction of records.

All restriction requests must be made in writing and sent to the data protection officer directly. Additional steps may be required to ensure the requestor is legally entitled to make the request. All requests will be responded to within 28 working days.

13. Data Portability

CCMS Ltd recognises the right to portability and will cooperate with the relevant data controller as required. Where possible CCMS Ltd will aim to have the request completed within 28 days.

14. Accountability and Governance

CCMS Ltd has implemented the following data protection policies: 

  • CCMS Ltd Privacy Policy
  • CCMS Ltd Information Communication & Technology Security Policy
  • CCMS Ltd Backup and Disaster Recovery Policy
  • CCMS Ltd Data Retention Policy
  • CCMS Ltd Customer Data Processing & Sharing Agreement
  • CCMS Ltd Information Sharing Agreement
  • CCMS Ltd Breach and GDPR Rights Policy

  • All policies relating to the processing of personal and sensitive information will be reviewed on an annual basis.
  • CCMS Ltd has appointed a specific individual to perform the functions of a data protection officer.
  • Any concerns regarding data protection, privacy or information governance can be reported in confidence to dataprotection@ccmservices.co.uk.
  • Any requests in relation to the rights of the data subject detailed in this document must be made in writing by post or by emailing dataprotection@ccmservices.co.uk. All requests will be handled by the data protection officer.

15. Policy Review and Version Control

15.1 This policy is reviewed annually and updated accordingly.

15.2 Version Control – the table below details the history of updates to this policy.